

When the Commissioner Is Also the DPO: A Key Governance Risk in Primary Care
As the NHS continues to restructure and Integrated Care Boards (ICBs) take on broader system leadership roles, it’s increasingly common to see ICBs offering shared or centralised Data Protection Officer (DPO) services to GP practices. On the face of it, this makes sense: consistency, efficiency, shared expertise, and reduced burden on already stretched practices. But there is a governance issue sitting underneath this approach that deserves some careful attention, particularl
3 days ago · 3 min read


Deepfakes: The Dr Taylor-Robinson Example and How to Reduce the Risk
Deepfakes are being used to drive financial gain through deception. Artificial intelligence has unlocked amazing capabilities, from enhancing video calls to creating convincing virtual actors. But as with all powerful technologies, it has a dark side. Deepfakes, AI-generated images, videos or audio that convincingly imitate real people, are no longer fringe curiosities. They are increasingly being used to misinform, manipulate and, in some cases, make money off deception.
7 days ago · 5 min read


When separated parents are in conflict: keeping the child central without becoming the battleground
In my work with general practice, it’s not unusual to see parents who are separated, sometimes amicably, sometimes anything but. A pattern many of my practice customers describe is that a child’s care, or the practice itself, becomes a stick to beat one another with. The practice is asked to “take a view,” restrict access, validate a diagnosis narrative, or produce a letter that helps one parent “win” against the other. If you’ve felt that pressure, you’re not alone. And i
Dec 8 · 7 min read


Bossware: The Trust Trap
A few weeks ago, one of my customers asked me what I thought about bossware. Then, almost immediately, the same theme started cropping up in my legal journals: articles on workplace monitoring, algorithmic oversight, “productivity” tooling reframed as compliance. But this isn’t a new problem; COVID was the turning point. The sudden shift to remote work came with an equally sudden expansion of digital monitoring. In the moment, it felt quite different. But remote and hybrid
Dec 4 · 7 min read


The Case for Confidence in Defensive Breach Reporting
When something goes wrong, most of us would rather over-report than under-report. It feels safer, especially in high-risk domains where trust is fragile and the impact can be significant. But the ICO is clear: defensive reporting isn’t good practice, and defensive notification to individuals can cause real harm. This post is about staying inside the legal thresholds, and staying confident in our decisions. A practical lens for assessing harm Before we get into thresholds, it
Nov 23 · 4 min read


Duty of Candour vs. Patient Notification for Data Breaches
In healthcare, “being open with patients” can mean more than one legal obligation. Two common ones are the statutory Duty of Candour and patient notification after a personal data breach. They can feel similar because they both involve openness, apology, and clear communication, but they come from different laws and apply in different situations. Sometimes only one applies; occasionally both apply together. Understanding the difference helps practices respond confidently and
Nov 22 · 3 min read


Silence isn't Golden with Subject Access Requests
In our role as DPO for a large number of busy GP practices, we are hyper-aware of how important it is that organisations handle subject access requests well. This process is about trust, transparency and accountability. Staying on the right side of compliance means (1) monitoring disclosure requests, (2) actively engaging with your Data Protection Officer (DPO) and (3) avoiding the “radio silence” trap. 1. Monitoring Disclosure Requests A subject access request is a request under the right
Nov 19 · 4 min read


Tycoon 2FA / MFA-Bypass Threat - Legacy MFA has left the building.
Hello again! I'm writing to brief you on a significant and fast-evolving cyber threat affecting organisations that rely on cloud authentication and multi-factor protection. The Tycoon 2FA phishing kit represents a meaningful shift in how attackers can bypass MFA, and it is important that all organisations understand the risk and strengthen their defences accordingly. What has happened Tycoon 2FA is a commercially available phishing toolkit that takes the old idea of a fake lo
Nov 19 · 3 min read


Is AI Consent putting your GP practice at risk?
Don't use the word consent; it's misleading. AI in healthcare is powerful, and different. It’s new to many patients, and care settings come with an inherent power imbalance: people are unwell, worried, time-pressed, and reliant on clinicians. Because we are not permitted to use consent (the Information Commissioner has confirmed this to us), the ethical, and practical, answer is more transparency, earlier, and in layers. Putting it bluntly: it is not acceptable to spring a one-li
Nov 7 · 3 min read


Why Your AI Supplier Won't Explain
Opacity in your supply chain isn’t always about them having something to hide. Opacity has many faces; some calculated, some careless, and some very ordinary. When we buy or inherit algorithmic systems, we may find that AI vendors speak the language of the sales deck and of algorithmic snake oil. Yet when DPOs ask how the model actually works, which models are in the pipeline and where they come from, the conversation often stops at “commercial sensitivity” or, worse, confused silenc
Nov 6 · 3 min read


ISO 27001 Physical Controls - Still Important in a Cyber World?
Let’s be honest: when most people think about information security these days, their minds jump straight to the cyber side of things. Firewalls, MFA, phishing, ransomware and so on; the digital world tends to dominate the conversation. But here’s the thing: even the best cyber security in the world won’t help if someone can simply walk into your office and plug a USB stick into something, or reach over the counter and grab some sensitive paperwork. ISO 27001 Physical Controls are
Nov 5 · 4 min read


How do I know if an AI tool is safe to use?
I find that, when small organisations start exploring AI, whether to automate recruitment, triage enquiries, or analyse customer data, the conversation usually begins with excitement. New efficiencies, lower costs and smarter insights are all on the table. But the more important conversation, the one that rarely takes place early enough, is about safety. Not safety in the technical sense of cybersecurity, but in the broader human sense: is this system safe to use on the people y
Oct 24 · 3 min read


Bring Your Own AI - The Risks for Data Protection
It’s becoming common to see employees using their own AI tools at work: a comms officer who drafts with ChatGPT, a finance manager who automates reconciliation through a plug-in, a policy lead who runs data through an “AI summariser” to save time. Small, pragmatic innovations emerge as people find ways to work within systems that often struggle to keep pace with real-world demands. For Data Protection Officers, this “Bring Your Own AI” trend is both inevitable and risky.
Oct 22 · 3 min read


Locums and 'Bring your own Tech'
Across the NHS and wider health sector, locums and temporary clinicians are often essential to keeping services running. They move between organisations, adapt quickly, and bring a wealth of experience. But increasingly, my customers tell me, they’re also bringing their own technology. That might mean the familiar dictation software they use in their main practice, a personal transcription app, or even an AI-powered scribe that listens, writes, and structures their notes. Whi
Oct 22 · 3 min read


Why Simple Fixes for Missing Data Can Create Big Problems in AI
When building AI systems, missing data is unavoidable. Maybe patients didn’t report their income, maybe students skipped a survey, maybe a sensor failed. To keep things moving, developers often use quick fixes like mean imputation, replacing missing values with the average of what’s there. It sounds harmless. But in practice, it can quietly introduce bias, reduce accuracy, and create unfair outcomes. What is imputation? Imputation is the process of filling in missing values
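To make the bias concrete, here is an added worked example (not code from the post) on a constructed toy dataset: an income-like value per person, labelled with a group, where group B's three lowest earners did not report a value. Missingness therefore depends on the value itself, and filling the gaps with the column mean drags group B's mean up from its true value and shrinks the column's variance. The last function is the check worth running before any imputation: whether the missingness rate differs by group.

```python
import statistics
from typing import Dict, List, Optional, Tuple

Row = Tuple[str, Optional[float]]

# Constructed toy data (not from the post). Group B's three lowest earners
# did not report, so missingness depends on the value (missing not at random).
TRUE_ROWS: List[Row] = [
    ("A", 30.0), ("A", 40.0), ("A", 50.0), ("A", 60.0), ("A", 70.0),
    ("B", 15.0), ("B", 25.0), ("B", 35.0), ("B", 45.0), ("B", 55.0),
]
OBSERVED_ROWS: List[Row] = TRUE_ROWS[:5] + [
    ("B", None), ("B", None), ("B", None), ("B", 45.0), ("B", 55.0),
]


def observed_mean(rows: List[Row]) -> float:
    """Mean of the values that are present: the number a quick fix fills with."""
    return statistics.fmean([v for _, v in rows if v is not None])


def mean_impute(rows: List[Row]) -> List[Row]:
    """The quick fix: replace every missing value with the column mean."""
    fill = observed_mean(rows)
    return [(g, fill if v is None else v) for g, v in rows]


def group_means(rows: List[Row]) -> Dict[str, float]:
    """Per-group mean, ignoring any values still missing."""
    by_group: Dict[str, List[float]] = {}
    for g, v in rows:
        if v is not None:
            by_group.setdefault(g, []).append(v)
    return {g: statistics.fmean(vs) for g, vs in by_group.items()}


def column_variance(rows: List[Row]) -> float:
    """Population variance of the column (missing values excluded)."""
    return statistics.pvariance([v for _, v in rows if v is not None])


def missing_rate_by_group(rows: List[Row]) -> Dict[str, float]:
    """The pre-imputation check: does missingness track a group attribute?"""
    totals: Dict[str, int] = {}
    missing: Dict[str, int] = {}
    for g, v in rows:
        totals[g] = totals.get(g, 0) + 1
        if v is None:
            missing[g] = missing.get(g, 0) + 1
    return {g: missing.get(g, 0) / n for g, n in totals.items()}


if __name__ == "__main__":
    imputed = mean_impute(OBSERVED_ROWS)
    print("missing rate by group: ", missing_rate_by_group(OBSERVED_ROWS))
    print("true group means:      ", group_means(TRUE_ROWS))
    print("after mean imputation: ", group_means(imputed))
    print("variance true / imputed:", column_variance(TRUE_ROWS), column_variance(imputed))
```

On this data the column mean of the observed values is 50, so group B's imputed mean comes out at 50 against a true mean of 35, and the column variance falls from 256.25 to 105. A 60% missingness rate in group B versus 0% in group A is the signal that a mean fill will encode that imbalance into the model rather than remove it.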
Oct 14 · 2 min read


The Opportunities, Red Flags and Reality of AI in Primary Care
AI in primary care is no longer optional. It is already being built into the systems GP surgeries are expected to use daily. And when...
Oct 9 · 3 min read


Stop Guessing! The Security Health Check That Saves Your Bacon (and Budget)
You know that feeling when you think you've finally got a handle on your cyber security? You’ve got the shiny firewall, passwords that...
Oct 7 · 4 min read


The Weight of the Watching
It’s weird how being watched has been so normalised. The cameras in the street, the apps on your phone, all feeding invisible systems...
Oct 5 · 3 min read


Who’s Got the Keys?
“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Warren...
Oct 5 · 3 min read


The AI Bubble Burst: What Procurement Needs to Prepare For
AI has been hyped as the solution to almost every challenge, fuelled by a kind of technosolutionism: the belief that technology alone can...
Oct 3 · 3 min read